[strongSwan] duplicate IKE SA

Mirko Parthey mirko.parthey at informatik.tu-chemnitz.de
Wed Oct 10 15:29:59 CEST 2012


On Wed, Oct 03, 2012 at 04:37:31PM +0200, Tobias Brunner wrote:
> > * Both peers initiated an IKE SA and CHILD SAs based on these.
> >   Why wasn't one of them deleted as a duplicate?
> >   This issue showed up in about 50% of my experiments.
> 
> If both peers initiate the same IKE_SA within a small time frame the
> duplicate can't be detected.  Essentially, whenever the daemon processes
> and builds the IKE_AUTH response for the respective SAs concurrently.

Hi Tobias,

I forgot to mention the impact of this issue.  In the case described
here, all ESP-protected traffic of this connection is dropped at the
receiver, in each direction.

As can be seen in the attachments, I have duplicate IKE SAs, and each is
used to establish a Child SA.  Charon installs both Child SAs in the
kernel, but just one set of policy rules. This policy points to one of
the two Child SAs, which will then be used for outgoing traffic, and
where incoming traffic matching the policy is expected to arrive.  The
other peer does the same on its side.

But it is not determined if both peers will install their policy for the
same Child SA.  When the remote peer sends traffic over a Child SA not
pointed to by the local peer's policy, it is dropped because of a policy
template mismatch, increasing the XfrmInTmplMismatch counter in
/proc/net/xfrm_stat.

Since you say the duplicate IKE SA cannot always be detected during
establishment - would it be an option for Charon to detect them
afterwards and shut down one of the two SAs automatically?

RFC 5996 has a detailed recommendation on how to handle simultaneous
rekeying (section 2.8.1), but on a quick look I couldn't find anything
about IKE_SA_INIT/IKE_AUTH collisions explicitly.

Does Linux allow the installation of policies for both CHILD_SAs,
to allow incoming traffic on both?

Regards,
Mirko
-------------- next part --------------
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.3.8, mips):
  uptime: 4 minutes, since Oct 09 21:42:45 2012
  malloc: sbrk 147456, mmap 0, used 117440, free 30016
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 7
  loaded plugins: charon aes sha1 random nonce x509 pubkey pkcs1 pem gcrypt gmp xcbc hmac kernel-netlink socket-default stroke updown
Listening IP addresses:
  172.16.16.250
  89.246.160.239
Connections:
      daniel:  %any...%daniel.dyndns.org  IKEv1/2, dpddelay=30s
      daniel:   local:  [james.dyndns.org] uses public key authentication
      daniel:    cert:  "C=DE, CN=james"
      daniel:   remote: [C=DE, CN=daniel.dyndns.org] uses public key authentication
      daniel:    cert:  "C=DE, CN=daniel.dyndns.org"
      daniel:   child:  172.16.16.0/24 === 192.168.2.0/24 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
      daniel[1]: ESTABLISHED 4 minutes ago, 89.246.160.239[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
      daniel[1]: IKEv2 SPIs: 4895deead721a54c_i* 8a10b39872678933_r, public key reauthentication in 2 hours
      daniel[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      daniel{1}:  INSTALLED, TUNNEL, ESP SPIs: c0d8f93d_i c8bc1426_o
      daniel{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (191s ago), rekeying in 38 minutes
      daniel{1}:   172.16.16.0/24 === 192.168.2.0/24 
      daniel[2]: ESTABLISHED 4 minutes ago, 89.246.160.239[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
      daniel[2]: IKEv2 SPIs: 6b2130613f59f4c2_i e36034c62855bea6_r*, public key reauthentication in 2 hours
      daniel[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      daniel{2}:  INSTALLED, TUNNEL, ESP SPIs: cddf6852_i c03c2276_o
      daniel{2}:  AES_CBC_128/HMAC_SHA1_96, 84 bytes_i (102s ago), 0 bytes_o, rekeying in 38 minutes
      daniel{2}:   172.16.16.0/24 === 192.168.2.0/24 
-------------- next part --------------
src 89.246.160.239 dst 31.18.87.101
	proto esp spi 0xc8bc1426(3367769126) reqid 1(0x00000001) mode tunnel
	replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
	auth-trunc hmac(sha1) 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef (160 bits) 96
	enc cbc(aes) 0xdeadbeefdeadbeefdeadbeefdeadbeef (128 bits)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 2565(sec), hard 3600(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  84(bytes), 1(packets)
	  add 2012-10-09 21:42:52 use 2012-10-09 21:43:53
	stats:
	  replay-window 0 replay 0 failed 0
src 31.18.87.101 dst 89.246.160.239
	proto esp spi 0xc0d8f93d(3235445053) reqid 1(0x00000001) mode tunnel
	replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
	auth-trunc hmac(sha1) 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef (160 bits) 96
	enc cbc(aes) 0xdeadbeefdeadbeefdeadbeefdeadbeef (128 bits)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 2848(sec), hard 3600(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2012-10-09 21:42:52 use -
	stats:
	  replay-window 0 replay 0 failed 0
src 89.246.160.239 dst 31.18.87.101
	proto esp spi 0xc03c2276(3225166454) reqid 2(0x00000002) mode tunnel
	replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
	auth-trunc hmac(sha1) 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef (160 bits) 96
	enc cbc(aes) 0xdeadbeefdeadbeefdeadbeefdeadbeef (128 bits)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 2540(sec), hard 3600(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2012-10-09 21:42:52 use -
	stats:
	  replay-window 0 replay 0 failed 0
src 31.18.87.101 dst 89.246.160.239
	proto esp spi 0xcddf6852(3453970514) reqid 2(0x00000002) mode tunnel
	replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
	auth-trunc hmac(sha1) 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef (160 bits) 96
	enc cbc(aes) 0xdeadbeefdeadbeefdeadbeefdeadbeef (128 bits)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 2669(sec), hard 3600(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  84(bytes), 1(packets)
	  add 2012-10-09 21:42:52 use 2012-10-09 21:45:22
	stats:
	  replay-window 0 replay 0 failed 0
-------------- next part --------------
src 192.168.2.0/24 dst 172.16.16.0/24 
	dir fwd priority 1859 
	tmpl src 31.18.87.101 dst 89.246.160.239
		proto esp reqid 1 mode tunnel
src 192.168.2.0/24 dst 172.16.16.0/24 
	dir in priority 1859 
	tmpl src 31.18.87.101 dst 89.246.160.239
		proto esp reqid 1 mode tunnel
src 172.16.16.0/24 dst 192.168.2.0/24 
	dir out priority 1859 
	tmpl src 89.246.160.239 dst 31.18.87.101
		proto esp reqid 1 mode tunnel
[...]
-------------- next part --------------
Oct  9 21:42:45 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 3.3.8, mips)
Oct  9 21:42:45 00[LIB] plugin 'test-vectors' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'curl' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'ldap' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'mysql' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'sqlite' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'pkcs11' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'des' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'blowfish' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'sha2' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'md4' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'md5' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'revocation' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'constraints' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'pkcs8' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'pgp' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'dnskey' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'openssl' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'af-alg' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'fips-prf' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'agent' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'cmac' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'ctr' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'ccm' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'gcm' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'attr' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'attr-sql' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'load-tester' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'kernel-pfkey' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'kernel-klips' failed to load: File not found
Oct  9 21:42:45 00[KNL] listening on interfaces:
Oct  9 21:42:45 00[KNL]   eth0
Oct  9 21:42:45 00[KNL]   eth1
Oct  9 21:42:45 00[KNL]     fe80::224:8cff:fe54:eeca
Oct  9 21:42:45 00[KNL]   ifb0
Oct  9 21:42:45 00[KNL]     fe80::16:a8ff:feed:eae5
Oct  9 21:42:45 00[KNL]   br-lan
Oct  9 21:42:45 00[KNL]     172.16.16.250
Oct  9 21:42:45 00[KNL]     fe80::224:8cff:fe54:eeca
Oct  9 21:42:45 00[KNL]   pppoe-wan
Oct  9 21:42:45 00[KNL]     89.246.160.239
Oct  9 21:42:45 00[KNL]   wlan0
Oct  9 21:42:45 00[LIB] plugin 'resolve' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'socket-raw' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'socket-dynamic' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'farp' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'smp' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'sql' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'eap-identity' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'eap-md5' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'eap-mschapv2' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'xauth-generic' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'xauth-eap' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'dhcp' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'ha' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'whitelist' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'led' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'duplicheck' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'coupling' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'uci' failed to load: File not found
Oct  9 21:42:45 00[LIB] plugin 'addrblock' failed to load: File not found
Oct  9 21:42:45 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct  9 21:42:45 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct  9 21:42:45 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct  9 21:42:45 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct  9 21:42:45 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct  9 21:42:45 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct  9 21:42:45 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/jamesKey.pem'
Oct  9 21:42:45 00[DMN] loaded plugins: charon aes sha1 random nonce x509 pubkey pkcs1 pem gcrypt gmp xcbc hmac kernel-netlink socket-default stroke updown
Oct  9 21:42:45 00[JOB] spawning 16 worker threads
Oct  9 21:42:45 09[CFG] received stroke: add connection 'daniel'
Oct  9 21:42:45 09[CFG] left nor right host is our side, assuming left=local
Oct  9 21:42:45 09[CFG]   loaded certificate "C=DE, CN=james" from 'jamesCert.pem'
Oct  9 21:42:45 09[CFG]   loaded certificate "C=DE, CN=daniel.dyndns.org" from 'danielCert.pem'
Oct  9 21:42:45 09[CFG]   id 'daniel.dyndns.org' not confirmed by certificate, defaulting to 'C=DE, CN=daniel.dyndns.org'
Oct  9 21:42:45 09[CFG] added configuration 'daniel'
Oct  9 21:42:45 10[CFG] received stroke: initiate 'daniel'
Oct  9 21:42:45 10[IKE] queueing IKE_VENDOR task
Oct  9 21:42:45 10[IKE] queueing IKE_INIT task
Oct  9 21:42:45 10[IKE] queueing IKE_NATD task
Oct  9 21:42:45 10[IKE] queueing IKE_CERT_PRE task
Oct  9 21:42:45 10[IKE] queueing IKE_AUTH task
Oct  9 21:42:45 10[IKE] queueing IKE_CERT_POST task
Oct  9 21:42:45 10[IKE] queueing IKE_CONFIG task
Oct  9 21:42:45 10[IKE] queueing IKE_AUTH_LIFETIME task
Oct  9 21:42:45 10[IKE] queueing IKE_MOBIKE task
Oct  9 21:42:45 10[IKE] queueing CHILD_CREATE task
Oct  9 21:42:45 10[IKE] activating new tasks
Oct  9 21:42:45 10[IKE]   activating IKE_VENDOR task
Oct  9 21:42:45 10[IKE]   activating IKE_INIT task
Oct  9 21:42:45 10[IKE]   activating IKE_NATD task
Oct  9 21:42:45 10[IKE]   activating IKE_CERT_PRE task
Oct  9 21:42:45 10[IKE]   activating IKE_AUTH task
Oct  9 21:42:45 10[IKE]   activating IKE_CERT_POST task
Oct  9 21:42:45 10[IKE]   activating IKE_CONFIG task
Oct  9 21:42:45 10[IKE]   activating CHILD_CREATE task
Oct  9 21:42:45 10[IKE]   activating IKE_AUTH_LIFETIME task
Oct  9 21:42:45 10[IKE]   activating IKE_MOBIKE task
Oct  9 21:42:45 10[IKE] initiating IKE_SA daniel[1] to 31.18.87.101
Oct  9 21:42:45 10[IKE] IKE_SA daniel[1] state change: CREATED => CONNECTING
Oct  9 21:42:45 12[NET] received packet: from 31.18.87.101[500] to 89.246.160.239[500]
Oct  9 21:42:45 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct  9 21:42:45 12[IKE] 31.18.87.101 is initiating an IKE_SA
Oct  9 21:42:45 12[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Oct  9 21:42:47 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct  9 21:42:47 10[NET] sending packet: from 89.246.160.239[500] to 31.18.87.101[500]
Oct  9 21:42:47 13[NET] received packet: from 31.18.87.101[500] to 89.246.160.239[500]
Oct  9 21:42:47 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct  9 21:42:49 14[MGR] ignoring request with ID 0, already processing
Oct  9 21:42:51 13[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct  9 21:42:51 13[IKE] reinitiating already active tasks
Oct  9 21:42:51 13[IKE]   IKE_CERT_PRE task
Oct  9 21:42:51 13[IKE]   IKE_AUTH task
Oct  9 21:42:51 13[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct  9 21:42:51 12[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct  9 21:42:51 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct  9 21:42:51 12[NET] sending packet: from 89.246.160.239[500] to 31.18.87.101[500]
Oct  9 21:42:51 11[NET] received packet: from 31.18.87.101[4500] to 89.246.160.239[4500]
Oct  9 21:42:51 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct  9 21:42:51 11[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct  9 21:42:51 11[CFG] looking for peer configs matching 89.246.160.239[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
Oct  9 21:42:51 11[CFG] selected peer config 'daniel'
Oct  9 21:42:51 11[CFG]   using trusted certificate "C=DE, CN=daniel.dyndns.org"
Oct  9 21:42:51 13[IKE] authentication of 'james.dyndns.org' (myself) with RSA signature successful
Oct  9 21:42:51 13[IKE] establishing CHILD_SA daniel
Oct  9 21:42:51 11[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' with RSA signature successful
Oct  9 21:42:51 11[IKE] peer supports MOBIKE
Oct  9 21:42:51 13[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct  9 21:42:51 11[IKE] got additional MOBIKE peer address: 192.168.2.3
Oct  9 21:42:51 13[NET] sending packet: from 89.246.160.239[4500] to 31.18.87.101[4500]
Oct  9 21:42:52 09[NET] received packet: from 31.18.87.101[4500] to 89.246.160.239[4500]
Oct  9 21:42:52 09[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct  9 21:42:52 09[CFG]   using trusted certificate "C=DE, CN=daniel.dyndns.org"
Oct  9 21:42:52 09[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' with RSA signature successful
Oct  9 21:42:52 09[IKE] IKE_SA daniel[1] established between 89.246.160.239[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
Oct  9 21:42:52 11[IKE] authentication of 'james.dyndns.org' (myself) with RSA signature successful
Oct  9 21:42:52 11[IKE] IKE_SA daniel[2] established between 89.246.160.239[james.dyndns.org]...31.18.87.101[C=DE, CN=daniel.dyndns.org]
Oct  9 21:42:52 11[IKE] IKE_SA daniel[2] state change: CONNECTING => ESTABLISHED
Oct  9 21:42:52 11[IKE] scheduling reauthentication in 10202s
Oct  9 21:42:52 11[IKE] maximum IKE_SA lifetime 10742s
Oct  9 21:42:52 09[IKE] IKE_SA daniel[1] state change: CONNECTING => ESTABLISHED
Oct  9 21:42:52 11[IKE] activating new tasks
Oct  9 21:42:52 11[IKE] nothing to initiate
Oct  9 21:42:52 09[IKE] scheduling reauthentication in 10081s
Oct  9 21:42:52 09[IKE] maximum IKE_SA lifetime 10621s
Oct  9 21:42:52 09[IKE] delaying task initiation, IKE_AUTH exchange in progress
Oct  9 21:42:52 09[IKE] CHILD_SA daniel{1} established with SPIs c0d8f93d_i c8bc1426_o and TS 172.16.16.0/24 === 192.168.2.0/24 
Oct  9 21:42:52 09[IKE] received AUTH_LIFETIME of 9893s, scheduling reauthentication in 9353s
Oct  9 21:42:52 11[IKE] CHILD_SA daniel{2} established with SPIs cddf6852_i c03c2276_o and TS 172.16.16.0/24 === 192.168.2.0/24 
Oct  9 21:42:52 11[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct  9 21:42:52 09[IKE] peer supports MOBIKE
Oct  9 21:42:52 09[IKE] got additional MOBIKE peer address: 192.168.2.3
Oct  9 21:42:52 09[IKE] activating new tasks
Oct  9 21:42:52 09[IKE] nothing to initiate
Oct  9 21:42:52 11[NET] sending packet: from 89.246.160.239[4500] to 31.18.87.101[4500]
Oct  9 21:43:21 16[IKE] sending DPD request
Oct  9 21:43:21 16[IKE] queueing IKE_DPD task
Oct  9 21:43:21 16[IKE] activating new tasks
Oct  9 21:43:21 16[IKE]   activating IKE_DPD task
Oct  9 21:43:21 16[ENC] generating INFORMATIONAL request 0 [ ]
Oct  9 21:43:21 16[NET] sending packet: from 89.246.160.239[4500] to 31.18.87.101[4500]
Oct  9 21:43:21 13[NET] received packet: from 31.18.87.101[4500] to 89.246.160.239[4500]
Oct  9 21:43:21 13[ENC] parsed INFORMATIONAL response 0 [ ]
Oct  9 21:43:21 13[IKE] activating new tasks
Oct  9 21:43:21 13[IKE] nothing to initiate
Oct  9 21:43:21 09[NET] received packet: from 31.18.87.101[4500] to 89.246.160.239[4500]
Oct  9 21:43:21 09[ENC] parsed INFORMATIONAL request 0 [ ]
Oct  9 21:43:21 09[ENC] generating INFORMATIONAL response 0 [ ]
Oct  9 21:43:21 09[NET] sending packet: from 89.246.160.239[4500] to 31.18.87.101[4500]
Oct  9 21:43:22 08[IKE] activating new tasks
Oct  9 21:43:22 08[IKE] nothing to initiate
Oct  9 21:43:51 10[IKE] sending DPD request
Oct  9 21:43:51 10[IKE] queueing IKE_DPD task
Oct  9 21:43:51 10[IKE] activating new tasks
Oct  9 21:43:51 10[IKE]   activating IKE_DPD task
Oct  9 21:43:51 10[ENC] generating INFORMATIONAL request 1 [ ]
Oct  9 21:43:51 10[NET] sending packet: from 89.246.160.239[4500] to 31.18.87.101[4500]
Oct  9 21:43:51 15[NET] received packet: from 31.18.87.101[4500] to 89.246.160.239[4500]
Oct  9 21:43:51 15[ENC] parsed INFORMATIONAL response 1 [ ]
Oct  9 21:43:51 15[IKE] activating new tasks
Oct  9 21:43:51 15[IKE] nothing to initiate
Oct  9 21:43:51 14[NET] received packet: from 31.18.87.101[4500] to 89.246.160.239[4500]
Oct  9 21:43:51 14[ENC] parsed INFORMATIONAL request 1 [ ]
Oct  9 21:43:51 14[ENC] generating INFORMATIONAL response 1 [ ]
Oct  9 21:43:51 14[NET] sending packet: from 89.246.160.239[4500] to 31.18.87.101[4500]
Oct  9 21:43:52 12[IKE] activating new tasks
Oct  9 21:43:52 12[IKE] nothing to initiate
-------------- next part --------------
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.2.0-3-amd64, x86_64):
  uptime: 35 minutes, since Oct 09 21:42:45 2012
  malloc: sbrk 1683456, mmap 0, used 1503488, free 179968
  worker threads: 4 of 16 idle, 11/1/0/0 working, job queue: 0/0/0/0, scheduled: 7
  loaded plugins: charon test-vectors curl soup ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default socket-raw socket-dynamic farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-ifmap tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist led radattr addrblock
Listening IP addresses:
  31.18.87.101
  192.168.2.3
Connections:
       james:  %any...%james.dyndns.org  IKEv1/2, dpddelay=30s
       james:   local:  [C=DE, CN=daniel.dyndns.org] uses public key authentication
       james:    cert:  "C=DE, CN=daniel.dyndns.org"
       james:   remote: [james.dyndns.org] uses public key authentication
       james:    cert:  "C=DE, CN=james"
       james:   child:  192.168.2.0/24 === 172.16.16.0/24 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
       james[2]: ESTABLISHED 35 minutes ago, 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.160.239[james.dyndns.org]
       james[2]: IKEv2 SPIs: 4895deead721a54c_i 8a10b39872678933_r*, public key reauthentication in 2 hours
       james[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
       james{2}:  INSTALLED, TUNNEL, ESP SPIs: c8bc1426_i c0d8f93d_o
       james{2}:  AES_CBC_128/HMAC_SHA1_96, 264 bytes_i (813s ago), 0 bytes_o, rekeying in 10 minutes
       james{2}:   192.168.2.0/24 === 172.16.16.0/24 
       james[1]: ESTABLISHED 35 minutes ago, 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.160.239[james.dyndns.org]
       james[1]: IKEv2 SPIs: 6b2130613f59f4c2_i* e36034c62855bea6_r, public key reauthentication in 2 hours
       james[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
       james{1}:  INSTALLED, TUNNEL, ESP SPIs: c03c2276_i cddf6852_o
       james{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 804 bytes_o (1022s ago), rekeying in 10 minutes
       james{1}:   192.168.2.0/24 === 172.16.16.0/24 
-------------- next part --------------
src 31.18.87.101 dst 89.246.160.239
	proto esp spi 0xcddf6852(3453970514) reqid 1(0x00000001) mode tunnel
	replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
	auth-trunc hmac(sha1) 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef (160 bits) 96
	enc cbc(aes) 0xdeadbeefdeadbeefdeadbeefdeadbeef (128 bits)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 2804(sec), hard 3600(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  804(bytes), 13(packets)
	  add 2012-10-09 21:42:52 use 2012-10-09 21:45:22
	stats:
	  replay-window 0 replay 0 failed 0
src 89.246.160.239 dst 31.18.87.101
	proto esp spi 0xc03c2276(3225166454) reqid 1(0x00000001) mode tunnel
	replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
	auth-trunc hmac(sha1) 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef (160 bits) 96
	enc cbc(aes) 0xdeadbeefdeadbeefdeadbeefdeadbeef (128 bits)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 2775(sec), hard 3600(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2012-10-09 21:42:52 use -
	stats:
	  replay-window 0 replay 0 failed 0
src 31.18.87.101 dst 89.246.160.239
	proto esp spi 0xc0d8f93d(3235445053) reqid 2(0x00000002) mode tunnel
	replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
	auth-trunc hmac(sha1) 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef (160 bits) 96
	enc cbc(aes) 0xdeadbeefdeadbeefdeadbeefdeadbeef (128 bits)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 2877(sec), hard 3600(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2012-10-09 21:42:51 use -
	stats:
	  replay-window 0 replay 0 failed 0
src 89.246.160.239 dst 31.18.87.101
	proto esp spi 0xc8bc1426(3367769126) reqid 2(0x00000002) mode tunnel
	replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
	auth-trunc hmac(sha1) 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef (160 bits) 96
	enc cbc(aes) 0xdeadbeefdeadbeefdeadbeefdeadbeef (128 bits)
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 2779(sec), hard 3600(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  264(bytes), 4(packets)
	  add 2012-10-09 21:42:51 use 2012-10-09 21:43:53
	stats:
	  replay-window 0 replay 0 failed 0
-------------- next part --------------
src 172.16.16.0/24 dst 192.168.2.0/24 
	dir fwd priority 1859 ptype main 
	tmpl src 89.246.160.239 dst 31.18.87.101
		proto esp reqid 1 mode tunnel
src 172.16.16.0/24 dst 192.168.2.0/24 
	dir in priority 1859 ptype main 
	tmpl src 89.246.160.239 dst 31.18.87.101
		proto esp reqid 1 mode tunnel
src 192.168.2.0/24 dst 172.16.16.0/24 
	dir out priority 1859 ptype main 
	tmpl src 31.18.87.101 dst 89.246.160.239
		proto esp reqid 1 mode tunnel
[...]
-------------- next part --------------
Oct  9 21:42:45 daniel charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 3.2.0-3-amd64, x86_64)
Oct  9 21:42:45 daniel charon: 00[CFG] attr-sql plugin: database URI not set
Oct  9 21:42:45 daniel charon: 00[LIB] plugin 'attr-sql': failed to load - attr_sql_plugin_create returned NULL
Oct  9 21:42:45 daniel charon: 00[CFG] disabling load-tester plugin, not configured
Oct  9 21:42:45 daniel charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Oct  9 21:42:45 daniel charon: 00[KNL] listening on interfaces:
Oct  9 21:42:45 daniel charon: 00[KNL]   eth0
Oct  9 21:42:45 daniel charon: 00[KNL]     31.18.87.101
Oct  9 21:42:45 daniel charon: 00[KNL]     fe80::92fb:a6ff:fe8a:8ca6
Oct  9 21:42:45 daniel charon: 00[KNL]   dummy0
Oct  9 21:42:45 daniel charon: 00[KNL]     192.168.2.3
Oct  9 21:42:45 daniel charon: 00[KNL]     fe80::10e4:9aff:fe59:a6a2
Oct  9 21:42:45 daniel charon: 00[CFG] sql plugin: database URI not set
Oct  9 21:42:45 daniel charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Oct  9 21:42:45 daniel charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Oct  9 21:42:45 daniel charon: 00[CFG] eap-simaka-sql database URI missing
Oct  9 21:42:45 daniel charon: 00[CFG] loaded 0 RADIUS server configurations
Oct  9 21:42:45 daniel charon: 00[TNC] MAP server certificate not defined
Oct  9 21:42:45 daniel charon: 00[CFG] missing PDP server name, PDP disabled
Oct  9 21:42:45 daniel charon: 00[CFG] mediation database URI not defined, skipped
Oct  9 21:42:45 daniel charon: 00[LIB] plugin 'medsrv': failed to load - medsrv_plugin_create returned NULL
Oct  9 21:42:45 daniel charon: 00[CFG] mediation client database URI not defined, skipped
Oct  9 21:42:45 daniel charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
Oct  9 21:42:45 daniel charon: 00[CFG] HA config misses local/remote address
Oct  9 21:42:45 daniel charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Oct  9 21:42:45 daniel charon: 00[CFG] coupling file path unspecified
Oct  9 21:42:45 daniel charon: 00[LIB] plugin 'coupling': failed to load - coupling_plugin_create returned NULL
Oct  9 21:42:45 daniel charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct  9 21:42:45 daniel charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct  9 21:42:45 daniel charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct  9 21:42:45 daniel charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct  9 21:42:45 daniel charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct  9 21:42:45 daniel charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct  9 21:42:45 daniel charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/danielKey.pem'
Oct  9 21:42:45 daniel charon: 00[TNC] loading IMCs from '/etc/tnc_config'
Oct  9 21:42:45 daniel charon: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Oct  9 21:42:45 daniel charon: 00[TNC] TNC recommendation policy is 'default'
Oct  9 21:42:45 daniel charon: 00[TNC] loading IMVs from '/etc/tnc_config'
Oct  9 21:42:45 daniel charon: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
Oct  9 21:42:45 daniel charon: 00[DMN] loaded plugins: charon test-vectors curl soup ldap mysql sqlite pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default socket-raw socket-dynamic farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-ifmap tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist led radattr addrblock
Oct  9 21:42:45 daniel charon: 00[JOB] spawning 16 worker threads
Oct  9 21:42:45 daniel charon: 05[CFG] received stroke: add connection 'james'
Oct  9 21:42:45 daniel charon: 05[CFG] left nor right host is our side, assuming left=local
Oct  9 21:42:45 daniel charon: 05[CFG]   loaded certificate "C=DE, CN=daniel.dyndns.org" from 'danielCert.pem'
Oct  9 21:42:45 daniel charon: 05[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=DE, CN=daniel.dyndns.org'
Oct  9 21:42:45 daniel charon: 05[CFG]   loaded certificate "C=DE, CN=james" from 'jamesCert.pem'
Oct  9 21:42:45 daniel charon: 05[CFG] added configuration 'james'
Oct  9 21:42:45 daniel charon: 05[CFG] received stroke: initiate 'james'
Oct  9 21:42:45 daniel charon: 05[IKE] queueing IKE_VENDOR task
Oct  9 21:42:45 daniel charon: 05[IKE] queueing IKE_INIT task
Oct  9 21:42:45 daniel charon: 05[IKE] queueing IKE_NATD task
Oct  9 21:42:45 daniel charon: 05[IKE] queueing IKE_CERT_PRE task
Oct  9 21:42:45 daniel charon: 05[IKE] queueing IKE_AUTH task
Oct  9 21:42:45 daniel charon: 05[IKE] queueing IKE_CERT_POST task
Oct  9 21:42:45 daniel charon: 05[IKE] queueing IKE_CONFIG task
Oct  9 21:42:45 daniel charon: 05[IKE] queueing IKE_AUTH_LIFETIME task
Oct  9 21:42:45 daniel charon: 05[IKE] queueing IKE_MOBIKE task
Oct  9 21:42:45 daniel charon: 05[IKE] queueing IKE_ME task
Oct  9 21:42:45 daniel charon: 05[IKE] queueing CHILD_CREATE task
Oct  9 21:42:45 daniel charon: 05[IKE] activating new tasks
Oct  9 21:42:45 daniel charon: 05[IKE]   activating IKE_VENDOR task
Oct  9 21:42:45 daniel charon: 05[IKE]   activating IKE_INIT task
Oct  9 21:42:45 daniel charon: 05[IKE]   activating IKE_NATD task
Oct  9 21:42:45 daniel charon: 05[IKE]   activating IKE_CERT_PRE task
Oct  9 21:42:45 daniel charon: 05[IKE]   activating IKE_ME task
Oct  9 21:42:45 daniel charon: 05[IKE]   activating IKE_AUTH task
Oct  9 21:42:45 daniel charon: 05[IKE]   activating IKE_CERT_POST task
Oct  9 21:42:45 daniel charon: 05[IKE]   activating IKE_CONFIG task
Oct  9 21:42:45 daniel charon: 05[IKE]   activating CHILD_CREATE task
Oct  9 21:42:45 daniel charon: 05[IKE]   activating IKE_AUTH_LIFETIME task
Oct  9 21:42:45 daniel charon: 05[IKE]   activating IKE_MOBIKE task
Oct  9 21:42:45 daniel charon: 05[IKE] initiating IKE_SA james[1] to 89.246.160.239
Oct  9 21:42:45 daniel charon: 05[IKE] initiating IKE_SA james[1] to 89.246.160.239
Oct  9 21:42:45 daniel charon: 05[IKE] IKE_SA james[1] state change: CREATED => CONNECTING
Oct  9 21:42:45 daniel charon: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct  9 21:42:45 daniel charon: 05[NET] sending packet: from 31.18.87.101[500] to 89.246.160.239[500]
Oct  9 21:42:47 daniel charon: 01[NET] received packet: from 89.246.160.239[500] to 31.18.87.101[500]
Oct  9 21:42:47 daniel charon: 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct  9 21:42:47 daniel charon: 01[IKE] 89.246.160.239 is initiating an IKE_SA
Oct  9 21:42:47 daniel charon: 01[IKE] 89.246.160.239 is initiating an IKE_SA
Oct  9 21:42:47 daniel charon: 01[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Oct  9 21:42:47 daniel charon: 01[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct  9 21:42:47 daniel charon: 01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct  9 21:42:47 daniel charon: 01[NET] sending packet: from 31.18.87.101[500] to 89.246.160.239[500]
Oct  9 21:42:49 daniel charon: 04[IKE] retransmit 1 of request with message ID 0
Oct  9 21:42:49 daniel charon: 04[NET] sending packet: from 31.18.87.101[500] to 89.246.160.239[500]
Oct  9 21:42:51 daniel charon: 03[NET] received packet: from 89.246.160.239[500] to 31.18.87.101[500]
Oct  9 21:42:51 daniel charon: 03[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct  9 21:42:51 daniel charon: 03[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct  9 21:42:51 daniel charon: 03[IKE] reinitiating already active tasks
Oct  9 21:42:51 daniel charon: 03[IKE]   IKE_CERT_PRE task
Oct  9 21:42:51 daniel charon: 03[IKE]   IKE_AUTH task
Oct  9 21:42:51 daniel charon: 03[IKE] sending cert request for "C=DE, CN=daniel.dyndns.org"
Oct  9 21:42:51 daniel charon: 03[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' (myself) with RSA signature successful
Oct  9 21:42:51 daniel charon: 03[IKE] establishing CHILD_SA james
Oct  9 21:42:51 daniel charon: 03[IKE] establishing CHILD_SA james
Oct  9 21:42:51 daniel charon: 03[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct  9 21:42:51 daniel charon: 03[NET] sending packet: from 31.18.87.101[4500] to 89.246.160.239[4500]
Oct  9 21:42:51 daniel charon: 02[NET] received packet: from 89.246.160.239[4500] to 31.18.87.101[4500]
Oct  9 21:42:51 daniel charon: 02[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct  9 21:42:51 daniel charon: 02[IKE] received cert request for "C=DE, CN=daniel.dyndns.org"
Oct  9 21:42:51 daniel charon: 02[CFG] looking for peer configs matching 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.160.239[james.dyndns.org]
Oct  9 21:42:51 daniel charon: 02[CFG] selected peer config 'james'
Oct  9 21:42:51 daniel charon: 02[CFG]   using trusted certificate "C=DE, CN=james"
Oct  9 21:42:51 daniel charon: 02[IKE] authentication of 'james.dyndns.org' with RSA signature successful
Oct  9 21:42:51 daniel charon: 02[IKE] peer supports MOBIKE
Oct  9 21:42:51 daniel charon: 02[IKE] got additional MOBIKE peer address: 172.16.16.250
Oct  9 21:42:51 daniel charon: 02[IKE] authentication of 'C=DE, CN=daniel.dyndns.org' (myself) with RSA signature successful
Oct  9 21:42:51 daniel charon: 02[IKE] IKE_SA james[2] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.160.239[james.dyndns.org]
Oct  9 21:42:51 daniel charon: 02[IKE] IKE_SA james[2] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.160.239[james.dyndns.org]
Oct  9 21:42:51 daniel charon: 02[IKE] IKE_SA james[2] state change: CONNECTING => ESTABLISHED
Oct  9 21:42:51 daniel charon: 02[IKE] scheduling reauthentication in 9894s
Oct  9 21:42:51 daniel charon: 02[IKE] maximum IKE_SA lifetime 10434s
Oct  9 21:42:51 daniel charon: 02[IKE] activating new tasks
Oct  9 21:42:51 daniel charon: 02[IKE] nothing to initiate
Oct  9 21:42:51 daniel charon: 02[IKE] CHILD_SA james{2} established with SPIs c8bc1426_i c0d8f93d_o and TS 192.168.2.0/24 === 172.16.16.0/24 
Oct  9 21:42:51 daniel charon: 02[IKE] CHILD_SA james{2} established with SPIs c8bc1426_i c0d8f93d_o and TS 192.168.2.0/24 === 172.16.16.0/24 
Oct  9 21:42:51 daniel charon: 02[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct  9 21:42:51 daniel charon: 02[NET] sending packet: from 31.18.87.101[4500] to 89.246.160.239[4500]
Oct  9 21:42:52 daniel charon: 05[NET] received packet: from 89.246.160.239[4500] to 31.18.87.101[4500]
Oct  9 21:42:52 daniel charon: 05[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Oct  9 21:42:52 daniel charon: 05[CFG]   using trusted certificate "C=DE, CN=james"
Oct  9 21:42:52 daniel charon: 05[IKE] authentication of 'james.dyndns.org' with RSA signature successful
Oct  9 21:42:52 daniel charon: 05[IKE] IKE_SA james[1] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.160.239[james.dyndns.org]
Oct  9 21:42:52 daniel charon: 05[IKE] IKE_SA james[1] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.160.239[james.dyndns.org]
Oct  9 21:42:52 daniel charon: 05[IKE] IKE_SA james[1] state change: CONNECTING => ESTABLISHED
Oct  9 21:42:52 daniel charon: 05[IKE] scheduling reauthentication in 9930s
Oct  9 21:42:52 daniel charon: 05[IKE] maximum IKE_SA lifetime 10470s
Oct  9 21:42:52 daniel charon: 05[IKE] delaying task initiation, IKE_AUTH exchange in progress
Oct  9 21:42:52 daniel charon: 05[IKE] CHILD_SA james{1} established with SPIs c03c2276_i cddf6852_o and TS 192.168.2.0/24 === 172.16.16.0/24 
Oct  9 21:42:52 daniel charon: 05[IKE] CHILD_SA james{1} established with SPIs c03c2276_i cddf6852_o and TS 192.168.2.0/24 === 172.16.16.0/24 
Oct  9 21:42:52 daniel charon: 05[IKE] received AUTH_LIFETIME of 10202s, scheduling reauthentication in 9662s
Oct  9 21:42:52 daniel charon: 05[IKE] peer supports MOBIKE
Oct  9 21:42:52 daniel charon: 05[IKE] got additional MOBIKE peer address: 172.16.16.250
Oct  9 21:42:52 daniel charon: 05[IKE] activating new tasks
Oct  9 21:42:52 daniel charon: 05[IKE] nothing to initiate
Oct  9 21:43:21 daniel charon: 02[NET] received packet: from 89.246.160.239[4500] to 31.18.87.101[4500]
Oct  9 21:43:21 daniel charon: 02[ENC] parsed INFORMATIONAL request 0 [ ]
Oct  9 21:43:21 daniel charon: 02[ENC] generating INFORMATIONAL response 0 [ ]
Oct  9 21:43:21 daniel charon: 02[NET] sending packet: from 31.18.87.101[4500] to 89.246.160.239[4500]
Oct  9 21:43:21 daniel charon: 03[IKE] sending DPD request
Oct  9 21:43:21 daniel charon: 03[IKE] queueing IKE_DPD task
Oct  9 21:43:21 daniel charon: 03[IKE] activating new tasks
Oct  9 21:43:21 daniel charon: 03[IKE]   activating IKE_DPD task
Oct  9 21:43:21 daniel charon: 03[ENC] generating INFORMATIONAL request 0 [ ]
Oct  9 21:43:21 daniel charon: 03[NET] sending packet: from 31.18.87.101[4500] to 89.246.160.239[4500]
Oct  9 21:43:21 daniel charon: 01[NET] received packet: from 89.246.160.239[4500] to 31.18.87.101[4500]
Oct  9 21:43:21 daniel charon: 01[ENC] parsed INFORMATIONAL response 0 [ ]
Oct  9 21:43:21 daniel charon: 01[IKE] activating new tasks
Oct  9 21:43:21 daniel charon: 01[IKE] nothing to initiate
Oct  9 21:43:22 daniel charon: 05[IKE] activating new tasks
Oct  9 21:43:22 daniel charon: 05[IKE] nothing to initiate
Oct  9 21:43:51 daniel charon: 02[NET] received packet: from 89.246.160.239[4500] to 31.18.87.101[4500]
Oct  9 21:43:51 daniel charon: 02[ENC] parsed INFORMATIONAL request 1 [ ]
Oct  9 21:43:51 daniel charon: 02[ENC] generating INFORMATIONAL response 1 [ ]
Oct  9 21:43:51 daniel charon: 02[NET] sending packet: from 31.18.87.101[4500] to 89.246.160.239[4500]
Oct  9 21:43:51 daniel charon: 03[IKE] activating new tasks
Oct  9 21:43:51 daniel charon: 03[IKE] nothing to initiate
Oct  9 21:43:51 daniel charon: 01[IKE] sending DPD request
Oct  9 21:43:51 daniel charon: 01[IKE] queueing IKE_DPD task
Oct  9 21:43:51 daniel charon: 01[IKE] activating new tasks
Oct  9 21:43:51 daniel charon: 01[IKE]   activating IKE_DPD task
Oct  9 21:43:51 daniel charon: 01[ENC] generating INFORMATIONAL request 1 [ ]
Oct  9 21:43:51 daniel charon: 01[NET] sending packet: from 31.18.87.101[4500] to 89.246.160.239[4500]
Oct  9 21:43:51 daniel charon: 05[NET] received packet: from 89.246.160.239[4500] to 31.18.87.101[4500]
Oct  9 21:43:51 daniel charon: 05[ENC] parsed INFORMATIONAL response 1 [ ]
Oct  9 21:43:51 daniel charon: 05[IKE] activating new tasks
Oct  9 21:43:51 daniel charon: 05[IKE] nothing to initiate
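
Added example, not part of the original post or of strongSwan: a log check that flags the condition this log shows, two IKE_SAs to the same peer that are both still ESTABLISHED. It assumes the "established between" and "state change" line formats exactly as they appear above; the function name `find_duplicate_ike_sas` is hypothetical.

```python
import re
from collections import defaultdict

# IKE_SA <config>[<unique id>] established between <ip>[<id>]...<ip>[<id>]
EST = re.compile(r"IKE_SA (\S+)\[(\d+)\] established between "
                 r"[^\[\s]+\[(.+?)\]\.\.\.[^\[\s]+\[(.+)\]\s*$")
# IKE_SA <config>[<unique id>] state change: <old> => <new>
STATE = re.compile(r"IKE_SA \S+\[(\d+)\] state change: \w+ => (\w+)")

def find_duplicate_ike_sas(lines):
    """Return {(config, local_id, remote_id): [unique ids]} for every peer
    pair with more than one IKE_SA whose latest logged state is ESTABLISHED."""
    peers, state = {}, {}
    for line in lines:
        m = EST.search(line)
        if m:
            # The log repeats this line; keying on the unique id dedupes it.
            peers[int(m.group(2))] = (m.group(1), m.group(3), m.group(4))
            continue
        m = STATE.search(line)
        if m:
            state[int(m.group(1))] = m.group(2)  # keep only the latest state
    live = defaultdict(list)
    for uid, key in peers.items():
        if state.get(uid) == "ESTABLISHED":
            live[key].append(uid)
    return {k: sorted(v) for k, v in live.items() if len(v) > 1}

# Sample input: lines copied from the log above.
SAMPLE = [
    "Oct  9 21:42:51 daniel charon: 02[IKE] IKE_SA james[2] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.160.239[james.dyndns.org]",
    "Oct  9 21:42:51 daniel charon: 02[IKE] IKE_SA james[2] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.160.239[james.dyndns.org]",
    "Oct  9 21:42:51 daniel charon: 02[IKE] IKE_SA james[2] state change: CONNECTING => ESTABLISHED",
    "Oct  9 21:42:52 daniel charon: 05[IKE] IKE_SA james[1] established between 31.18.87.101[C=DE, CN=daniel.dyndns.org]...89.246.160.239[james.dyndns.org]",
    "Oct  9 21:42:52 daniel charon: 05[IKE] IKE_SA james[1] state change: CONNECTING => ESTABLISHED",
]

if __name__ == "__main__":
    for (cfg, local, remote), uids in find_duplicate_ike_sas(SAMPLE).items():
        print(f"duplicate IKE_SAs for '{cfg}' ({local} <-> {remote}): ids {uids}")
```

A hit from this check is the cue to look at the XfrmInTmplMismatch counter in /proc/net/xfrm_stat, which the message names as the symptom of the two peers' policies pointing at different Child SAs.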

